1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
4 * Copyright (C) 2020 g10 Code GmbH
6 * This file is part of GnuPG.
8 * GnuPG is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuPG is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <https://www.gnu.org/licenses/>.
29 #include "../common/util.h"
31 #include "../common/iobuf.h"
36 #include "../common/status.h"
37 #include "../common/i18n.h"
39 #include "keyserver-internal.h"
41 #include "../common/mbox-util.h"
42 #include "call-dirmngr.h"
43 #include "../common/compliance.h"
45 /* Put an upper limit on nested packets. The 32 is an arbitrary
46 value, a much lower should actually be sufficient. */
47 #define MAX_NESTING_DEPTH 32
50 /* An object to build a list of keyid related info. */
53 struct kidlist_item *next;
61 * Object to hold the processing context.
63 typedef struct mainproc_context *CTX;
64 struct mainproc_context
67 struct mainproc_context *anchor; /* May be useful in the future. */
68 PKT_public_key *last_pubkey;
69 PKT_user_id *last_user_id;
70 md_filter_context_t mfx;
71 int sigs_only; /* Process only signatures and reject all other stuff. */
72 int encrypt_only; /* Process only encryption messages. */
74 /* Name of the file with the complete signature or the file with the
75 detached signature. This is currently only used to deduce the
76 file name of the data file if that has not been given. */
77 const char *sigfilename;
79 /* A structure to describe the signed data in case of a detached
83 /* A file descriptor of the signed data. Only used if not -1. */
85 /* A list of filenames with the data files or NULL. This is only
86 used if DATA_FD is -1. */
88 /* Flag to indicated that either one of the next previous fields
89 is used. This is only needed for better readability. */
94 int last_was_session_key;
95 kbnode_t list; /* The current list of packets. */
96 iobuf_t iobuf; /* Used to get the filename etc. */
97 int trustletter; /* Temporary usage in list_node. */
98 ulong symkeys; /* Number of symmetrically encrypted session keys. */
99 struct kidlist_item *pkenc_list; /* List of encryption packets. */
100 int seen_pkt_encrypted_aead; /* PKT_ENCRYPTED_AEAD packet seen. */
102 unsigned int sig_seen:1; /* Set to true if a signature packet
104 unsigned int data:1; /* Any data packet seen */
105 unsigned int uncompress_failed:1;
110 /* Counter with the number of literal data packets seen. Note that
111 * this is also bumped at the end of an encryption. This counter is
112 * used for a basic consistency check of a received PGP message. */
113 static int literals_seen;
116 /*** Local prototypes. ***/
117 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
118 static void list_node (CTX c, kbnode_t node);
119 static void proc_tree (CTX c, kbnode_t node);
124 /* Reset the literal data counter. This is required to setup a new
125 * decryption or verification context. */
127 reset_literals_seen(void)
134 release_list( CTX c )
136 proc_tree (c, c->list);
137 release_kbnode (c->list);
138 while (c->pkenc_list)
140 struct kidlist_item *tmp = c->pkenc_list->next;
141 xfree (c->pkenc_list);
144 c->pkenc_list = NULL;
147 c->any.uncompress_failed = 0;
148 c->last_was_session_key = 0;
149 c->seen_pkt_encrypted_aead = 0;
156 add_onepass_sig (CTX c, PACKET *pkt)
160 if (c->list) /* Add another packet. */
161 add_kbnode (c->list, new_kbnode (pkt));
162 else /* Insert the first one. */
163 c->list = node = new_kbnode (pkt);
170 add_gpg_control (CTX c, PACKET *pkt)
172 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
174 /* New clear text signature.
175 * Process the last one and reset everything */
179 if (c->list) /* Add another packet. */
180 add_kbnode (c->list, new_kbnode (pkt));
181 else /* Insert the first one. */
182 c->list = new_kbnode (pkt);
189 add_user_id (CTX c, PACKET *pkt)
193 log_error ("orphaned user ID\n");
196 add_kbnode (c->list, new_kbnode (pkt));
202 add_subkey (CTX c, PACKET *pkt)
206 log_error ("subkey w/o mainkey\n");
209 add_kbnode (c->list, new_kbnode (pkt));
215 add_ring_trust (CTX c, PACKET *pkt)
219 log_error ("ring trust w/o key\n");
222 add_kbnode (c->list, new_kbnode (pkt));
228 add_signature (CTX c, PACKET *pkt)
233 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
235 /* This is the first signature for the following datafile.
236 * GPG does not write such packets; instead it always uses
237 * onepass-sig packets. The drawback of PGP's method
238 * of prepending the signature to the data is
239 * that it is not possible to make a signature from data read
240 * from stdin. (GPG is able to read PGP stuff anyway.) */
241 node = new_kbnode (pkt);
246 return 0; /* oops (invalid packet sequence)*/
247 else if (!c->list->pkt)
248 BUG(); /* so nicht */
250 /* Add a new signature node item at the end. */
251 node = new_kbnode (pkt);
252 add_kbnode (c->list, node);
259 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
263 enum gcry_cipher_modes ciphermode;
264 unsigned int noncelen, keylen;
268 err = openpgp_aead_algo_info (dek->use_aead, &ciphermode, &noncelen);
274 ciphermode = GCRY_CIPHER_MODE_CFB;
278 /* Check that the session key has a size of 16 to 32 bytes. */
279 if ((dek->use_aead && (slen < (noncelen + 16 + 16)
280 || slen > (noncelen + 32 + 16)))
281 || (!dek->use_aead && (slen < 17 || slen > 33)))
283 log_error ( _("weird size for an encrypted session key (%d)\n"),
285 return gpg_error (GPG_ERR_BAD_KEY);
288 err = openpgp_cipher_open (&hd, dek->algo, ciphermode, 1);
290 err = gcry_cipher_setkey (hd, dek->key, dek->keylen);
292 err = gcry_cipher_setiv (hd, noncelen? seskey : NULL, noncelen);
300 ad[0] = (0xc0 | PKT_SYMKEY_ENC);
303 ad[3] = dek->use_aead;
304 err = gcry_cipher_authenticate (hd, ad, 4);
307 gcry_cipher_final (hd);
308 keylen = slen - noncelen - 16;
309 err = gcry_cipher_decrypt (hd, seskey+noncelen, keylen, NULL, 0);
312 err = gcry_cipher_checktag (hd, seskey+noncelen+keylen, 16);
315 /* Now we replace the dek components with the real session key to
316 * decrypt the contents of the sequencing packet. */
317 if (keylen > DIM(dek->key))
319 err = gpg_error (GPG_ERR_TOO_LARGE);
322 dek->keylen = keylen;
323 memcpy (dek->key, seskey + noncelen, dek->keylen);
327 gcry_cipher_decrypt (hd, seskey, slen, NULL, 0);
329 /* Here we can only test whether the algo given in decrypted
330 * session key is a valid OpenPGP algo. With 11 defined
331 * symmetric algorithms we will miss 4.3% of wrong passphrases
332 * here. The actual checking is done later during bulk
333 * decryption; we can't bring this check forward easily. We
334 * need to use the GPG_ERR_CHECKSUM so that we won't run into
335 * the gnupg < 2.2 bug compatible case which would terminate the
336 * process on GPG_ERR_CIPHER_ALGO. Note that with AEAD (above)
337 * we will have a reliable test here. */
338 if (openpgp_cipher_test_algo (seskey[0])
339 || openpgp_cipher_get_algo_keylen (seskey[0]) != slen - 1)
341 err = gpg_error (GPG_ERR_CHECKSUM);
345 /* Now we replace the dek components with the real session key to
346 * decrypt the contents of the sequencing packet. */
348 if (keylen > DIM(dek->key))
350 err = gpg_error (GPG_ERR_TOO_LARGE);
353 dek->algo = seskey[0];
354 dek->keylen = slen-1;
355 memcpy (dek->key, seskey + 1, dek->keylen);
358 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
361 gcry_cipher_close (hd);
367 proc_symkey_enc (CTX c, PACKET *pkt)
372 enc = pkt->pkt.symkey_enc;
374 log_error ("invalid symkey encrypted packet\n");
377 int algo = enc->cipher_algo;
378 const char *s = openpgp_cipher_algo_name (algo);
379 const char *a = (enc->aead_algo ? openpgp_aead_algo_name (enc->aead_algo)
382 if (!openpgp_cipher_test_algo (algo))
386 /* Note: TMPSTR is only used to avoid i18n changes. */
387 char *tmpstr = xstrconcat (s, ".", a, NULL);
389 log_info (_("%s encrypted session key\n"), tmpstr);
391 log_info (_("%s encrypted data\n"), tmpstr);
397 log_error (_("encrypted with unknown algorithm %d\n"), algo);
398 s = NULL; /* Force a goto leave. */
401 if (openpgp_md_test_algo (enc->s2k.hash_algo))
403 log_error(_("passphrase generated with unknown digest"
404 " algorithm %d\n"),enc->s2k.hash_algo);
408 c->last_was_session_key = 2;
409 if (!s || opt.list_only)
412 if (opt.override_session_key)
414 c->dek = xmalloc_clear (sizeof *c->dek);
415 if (get_override_session_key (c->dek, opt.override_session_key))
423 c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL,
424 GETPASSWORD_FLAG_SYMDECRYPT, NULL);
427 c->dek->symmetric = 1;
428 c->dek->use_aead = enc->aead_algo;
430 /* FIXME: This doesn't work perfectly if a symmetric key
431 comes before a public key in the message - if the
432 user doesn't know the passphrase, then there is a
433 chance that the "decrypted" algorithm will happen to
434 be a valid one, which will make the returned dek
435 appear valid, so we won't try any public keys that
439 err = symkey_decrypt_seskey (c->dek,
440 enc->seskey, enc->seskeylen);
443 log_info ("decryption of the symmetrically encrypted"
444 " session key failed: %s\n",
446 if (gpg_err_code (err) != GPG_ERR_BAD_KEY
447 && gpg_err_code (err) != GPG_ERR_CHECKSUM)
448 log_fatal ("process terminated to be bug compatible\n");
449 if (c->dek->s2k_cacheid[0])
452 log_debug ("cleared passphrase cached with ID:"
453 " %s\n", c->dek->s2k_cacheid);
454 passphrase_clear_cache (c->dek->s2k_cacheid);
461 c->dek->algo_info_printed = 1;
468 free_packet (pkt, NULL);
473 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
478 /* Check whether the secret key is available and store in this case. */
479 c->last_was_session_key = 1;
480 enc = pkt->pkt.pubkey_enc;
481 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
482 /* Hmmm: why do I have this algo check here - anyway there is
483 * function to check it. */
485 log_info (_("public key is %s\n"), keystr (enc->keyid));
487 if (is_status_enabled())
490 /* FIXME: For ECC support we need to map the OpenPGP algo number
491 to the Libgcrypt defined one. This is due a chicken-egg
492 problem: We need to have code in Libgcrypt for a new
493 algorithm so to implement a proposed new algorithm before the
494 IANA will finally assign an OpenPGP identifier. */
495 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
496 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
497 write_status_text (STATUS_ENC_TO, buf);
500 if (!opt.list_only && opt.override_session_key)
502 /* It does not make much sense to store the session key in
503 * secure memory because it has already been passed on the
504 * command line and the GCHQ knows about it. */
505 c->dek = xmalloc_clear (sizeof *c->dek);
506 result = get_override_session_key (c->dek, opt.override_session_key);
513 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
514 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
515 || enc->pubkey_algo == PUBKEY_ALGO_RSA
516 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
517 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
519 /* Note that we also allow type 20 Elgamal keys for decryption.
520 There are still a couple of those keys in active use as a
523 /* FIXME: Store this all in a list and process it later so that
524 we can prioritize what key to use. This gives a better user
525 experience if wildcard keyids are used. */
526 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
527 || opt.try_all_secrets
528 || have_secret_key_with_kid (enc->keyid)))
531 result = GPG_ERR_MISSING_ACTION; /* fixme: Use better error code. */
534 c->dek = xmalloc_secure_clear (sizeof *c->dek);
535 if ((result = get_session_key (ctrl, enc, c->dek)))
537 /* Error: Delete the DEK. */
544 result = GPG_ERR_NO_SECKEY;
547 result = GPG_ERR_PUBKEY_ALGO;
551 /* Store it for later display. */
552 struct kidlist_item *x = xmalloc (sizeof *x);
553 x->kid[0] = enc->keyid[0];
554 x->kid[1] = enc->keyid[1];
555 x->pubkey_algo = enc->pubkey_algo;
557 x->next = c->pkenc_list;
560 if (!result && opt.verbose > 1)
561 log_info (_("public key encrypted data: good DEK\n"));
564 free_packet(pkt, NULL);
569 * Print the list of public key encrypted packets which we could
573 print_pkenc_list (ctrl_t ctrl, struct kidlist_item *list, int failed)
575 for (; list; list = list->next)
580 if (failed && !list->reason)
582 if (!failed && list->reason)
585 algstr = openpgp_pk_algo_name (list->pubkey_algo);
586 pk = xmalloc_clear (sizeof *pk);
590 pk->pubkey_algo = list->pubkey_algo;
591 if (!get_pubkey (ctrl, pk, list->kid))
594 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
595 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
596 strtimestamp (pk->timestamp));
597 p = get_user_id_native (ctrl, list->kid);
598 log_printf (_(" \"%s\"\n"), p);
602 log_info (_("encrypted with %s key, ID %s\n"),
603 algstr, keystr(list->kid));
605 free_public_key (pk);
607 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
609 if (is_status_enabled())
612 snprintf (buf, sizeof buf, "%08lX%08lX",
613 (ulong)list->kid[0], (ulong)list->kid[1]);
614 write_status_text (STATUS_NO_SECKEY, buf);
617 else if (gpg_err_code (list->reason) == GPG_ERR_MISSING_ACTION)
619 /* Not tested for secret key due to --list-only mode. */
621 else if (list->reason)
623 log_info (_("public key decryption failed: %s\n"),
624 gpg_strerror (list->reason));
625 if (gpg_err_source (list->reason) == GPG_ERR_SOURCE_SCD
626 && gpg_err_code (list->reason) == GPG_ERR_INV_ID)
627 print_further_info ("a reason might be a card with replaced keys");
628 write_status_error ("pkdecrypt_failed", list->reason);
635 proc_encrypted (CTX c, PACKET *pkt)
638 int early_plaintext = literals_seen;
640 if (pkt->pkttype == PKT_ENCRYPTED_AEAD)
641 c->seen_pkt_encrypted_aead = 1;
645 log_info (_("WARNING: multiple plaintexts seen\n"));
646 write_status_errcode ("decryption.early_plaintext", GPG_ERR_BAD_DATA);
647 /* We fail only later so that we can print some more info first. */
653 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
654 else if (c->symkeys == 1)
655 log_info (_("encrypted with 1 passphrase\n"));
656 print_pkenc_list (c->ctrl, c->pkenc_list, 1 );
657 print_pkenc_list (c->ctrl, c->pkenc_list, 0 );
660 /* FIXME: Figure out the session key by looking at all pkenc packets. */
662 write_status (STATUS_BEGIN_DECRYPTION);
664 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
667 else if (!c->dek && !c->last_was_session_key)
671 STRING2KEY *s2k = NULL;
674 if (opt.override_session_key)
676 c->dek = xmalloc_clear (sizeof *c->dek);
677 result = get_override_session_key (c->dek, opt.override_session_key);
686 /* Assume this is old style conventional encrypted data. */
687 algo = opt.def_cipher_algo;
689 log_info (_("assuming %s encrypted data\n"),
690 openpgp_cipher_algo_name (algo));
691 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
693 algo = opt.def_cipher_algo;
695 algo = opt.s2k_cipher_algo;
696 log_info (_("IDEA cipher unavailable, "
697 "optimistically attempting to use %s instead\n"),
698 openpgp_cipher_algo_name (algo));
702 algo = CIPHER_ALGO_IDEA;
703 if (!opt.s2k_digest_algo)
705 /* If no digest is given we assume SHA-1. */
707 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
710 log_info (_("assuming %s encrypted data\n"), "IDEA");
713 c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL,
714 GETPASSWORD_FLAG_SYMDECRYPT, &canceled);
716 c->dek->algo_info_printed = 1;
718 result = gpg_error (GPG_ERR_CANCELED);
720 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
724 result = GPG_ERR_NO_SECKEY;
726 /* Compute compliance with CO_DE_VS. */
727 if (!result && is_status_enabled ()
728 /* Symmetric encryption and asymmetric encryption voids compliance. */
729 && (c->symkeys != !!c->pkenc_list )
730 /* Overriding session key voids compliance. */
731 && !opt.override_session_key
732 /* Check symmetric cipher. */
733 && gnupg_gcrypt_is_compliant (CO_DE_VS)
734 && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo,
735 GCRY_CIPHER_MODE_CFB))
737 struct kidlist_item *i;
739 PKT_public_key *pk = xmalloc (sizeof *pk);
741 if ( !(c->pkenc_list || c->symkeys) )
742 log_debug ("%s: where else did the session key come from?\n", __func__);
744 /* Now check that every key used to encrypt the session key is
746 for (i = c->pkenc_list; i && compliant; i = i->next)
748 memset (pk, 0, sizeof *pk);
749 pk->pubkey_algo = i->pubkey_algo;
750 if (get_pubkey (c->ctrl, pk, i->kid) != 0
751 || ! gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0,
752 pk->pkey, nbits_from_pk (pk), NULL))
754 release_public_key_parts (pk);
760 write_status_strings (STATUS_DECRYPTION_COMPLIANCE_MODE,
761 gnupg_status_compliance_flag (CO_DE_VS),
768 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
770 /* Trigger the deferred error. */
771 if (!result && early_plaintext)
772 result = gpg_error (GPG_ERR_BAD_DATA);
777 && !opt.ignore_mdc_error
778 && !pkt->pkt.encrypted->mdc_method
779 && !pkt->pkt.encrypted->aead_algo)
781 /* The message has been decrypted but does not carry an MDC.
782 * The option --ignore-mdc-error has also not been used. To
783 * avoid attacks changing an MDC message to a non-MDC message,
785 log_error (_("WARNING: message was not integrity protected\n"));
786 if (!pkt->pkt.encrypted->mdc_method
787 && (openpgp_cipher_get_algo_blklen (c->dek->algo) == 8
788 || c->dek->algo == CIPHER_ALGO_TWOFISH))
790 /* Before 2.2.8 we did not fail hard for a missing MDC if
791 * one of the old ciphers where used. Although these cases
792 * are rare in practice we print a hint on how to decrypt
796 _("Hint: If this message was created before the year 2003 it is\n"
797 "likely that this message is legitimate. This is because back\n"
798 "then integrity protection was not widely used.\n"));
799 log_info (_("Use the option '%s' to decrypt anyway.\n"),
800 "--ignore-mdc-error");
801 write_status_errcode ("nomdc_with_legacy_cipher",
802 GPG_ERR_DECRYPT_FAILED);
804 log_info (_("decryption forced to fail!\n"));
805 write_status (STATUS_DECRYPTION_FAILED);
807 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
808 && !pkt->pkt.encrypted->aead_algo
809 && opt.ignore_mdc_error))
811 /* All is fine or for an MDC message the MDC failed but the
812 * --ignore-mdc-error option is active. For compatibility
813 * reasons we issue GOODMDC also for AEAD messages. */
814 write_status (STATUS_DECRYPTION_OKAY);
816 log_info(_("decryption okay\n"));
818 if (pkt->pkt.encrypted->aead_algo)
819 write_status (STATUS_GOODMDC);
820 else if (pkt->pkt.encrypted->mdc_method && !result)
821 write_status (STATUS_GOODMDC);
823 log_info (_("WARNING: message was not integrity protected\n"));
825 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
826 || gpg_err_code (result) == GPG_ERR_TRUNCATED)
828 glo_ctrl.lasterr = result;
829 log_error (_("WARNING: encrypted message has been manipulated!\n"));
830 write_status (STATUS_BADMDC);
831 write_status (STATUS_DECRYPTION_FAILED);
835 if ((gpg_err_code (result) == GPG_ERR_BAD_KEY
836 || gpg_err_code (result) == GPG_ERR_CHECKSUM
837 || gpg_err_code (result) == GPG_ERR_CIPHER_ALGO)
838 && *c->dek->s2k_cacheid != '\0')
841 log_debug ("cleared passphrase cached with ID: %s\n",
842 c->dek->s2k_cacheid);
843 passphrase_clear_cache (c->dek->s2k_cacheid);
845 glo_ctrl.lasterr = result;
846 write_status (STATUS_DECRYPTION_FAILED);
847 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
848 /* Hmmm: does this work when we have encrypted using multiple
849 * ways to specify the session key (symmmetric and PK). */
854 free_packet (pkt, NULL);
855 c->last_was_session_key = 0;
856 write_status (STATUS_END_DECRYPTION);
858 /* Bump the counter even if we have not seen a literal data packet
859 * inside an encryption container. This acts as a sentinel in case
860 * a misplace extra literal data packets follows after this
861 * encrypted packet. */
867 have_seen_pkt_encrypted_aead( CTX c )
871 for (cc = c; cc; cc = cc->anchor)
873 if (cc->seen_pkt_encrypted_aead)
882 proc_plaintext( CTX c, PACKET *pkt )
884 PKT_plaintext *pt = pkt->pkt.plaintext;
885 int any, clearsig, rc;
888 /* This is a literal data packet. Bumb a counter for later checks. */
891 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
892 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
893 else if (opt.verbose)
895 /* We don't use print_utf8_buffer because that would require a
896 * string change which we don't want in 2.2. It is also not
897 * clear whether the filename is always utf-8 encoded. */
898 char *tmp = make_printable_string (pt->name, pt->namelen, 0);
899 log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
903 free_md_filter_context (&c->mfx);
904 if (gcry_md_open (&c->mfx.md, 0, 0))
906 /* fixme: we may need to push the textfilter if we have sigclass 1
907 * and no armoring - Not yet tested
908 * Hmmm, why don't we need it at all if we have sigclass 1
909 * Should we assume that plaintext in mode 't' has always sigclass 1??
910 * See: Russ Allbery's mail 1999-02-09
913 for (n=c->list; n; n = n->next )
915 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
917 /* The onepass signature case. */
918 if (n->pkt->pkt.onepass_sig->digest_algo)
920 if (!opt.skip_verify)
921 gcry_md_enable (c->mfx.md,
922 n->pkt->pkt.onepass_sig->digest_algo);
927 else if (n->pkt->pkttype == PKT_GPG_CONTROL
928 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
930 /* The clearsigned message case. */
931 size_t datalen = n->pkt->pkt.gpg_control->datalen;
932 const byte *data = n->pkt->pkt.gpg_control->data;
934 /* Check that we have at least the sigclass and one hash. */
936 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
937 /* Note that we don't set the clearsig flag for not-dash-escaped
939 clearsig = (*data == 0x01);
940 for (data++, datalen--; datalen; datalen--, data++)
941 if (!opt.skip_verify)
942 gcry_md_enable (c->mfx.md, *data);
944 break; /* Stop here as one-pass signature packets are not
947 else if (n->pkt->pkttype == PKT_SIGNATURE)
949 /* The SIG+LITERAL case that PGP used to use. */
950 if (!opt.skip_verify)
951 gcry_md_enable (c->mfx.md, n->pkt->pkt.signature->digest_algo);
956 if (!any && !opt.skip_verify && !have_seen_pkt_encrypted_aead(c))
958 /* This is for the old GPG LITERAL+SIG case. It's not legal
959 according to 2440, so hopefully it won't come up that often.
960 There is no good way to specify what algorithms to use in
961 that case, so these there are the historical answer. */
962 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
963 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
967 gcry_md_debug (c->mfx.md, "verify");
969 gcry_md_debug (c->mfx.md2, "verify2");
974 if (literals_seen > 1)
976 log_info (_("WARNING: multiple plaintexts seen\n"));
978 if (!opt.flags.allow_multiple_messages)
980 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
981 log_inc_errorcount ();
982 rc = gpg_error (GPG_ERR_UNEXPECTED);
988 /* It we are in --verify mode, we do not want to output the
989 * signed text. However, if --output is also used we do what
990 * has been requested and write out the signed data. */
991 rc = handle_plaintext (pt, &c->mfx,
992 (opt.outfp || opt.outfile)? 0 : c->sigs_only,
994 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
996 /* Can't write output but we hash it anyway to check the
998 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
1003 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
1005 free_packet (pkt, NULL);
1006 c->last_was_session_key = 0;
1008 /* We add a marker control packet instead of the plaintext packet.
1009 * This is so that we can later detect invalid packet sequences. */
1010 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
1012 add_kbnode (c->list, n);
1019 proc_compressed_cb (iobuf_t a, void *info)
1021 if ( ((CTX)info)->signed_data.used
1022 && ((CTX)info)->signed_data.data_fd != -1)
1023 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
1024 ((CTX)info)->signed_data.data_fd);
1026 return proc_signature_packets (((CTX)info)->ctrl, info, a,
1027 ((CTX)info)->signed_data.data_names,
1028 ((CTX)info)->sigfilename );
1033 proc_encrypt_cb (iobuf_t a, void *info )
1036 return proc_encryption_packets (c->ctrl, info, a );
1041 proc_compressed (CTX c, PACKET *pkt)
1043 PKT_compressed *zd = pkt->pkt.compressed;
1046 /*printf("zip: compressed data packet\n");*/
1048 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
1049 else if( c->encrypt_only )
1050 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
1052 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
1054 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
1056 if (!c->any.uncompress_failed)
1060 for (cc=c; cc; cc = cc->anchor)
1061 cc->any.uncompress_failed = 1;
1062 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
1066 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
1068 free_packet (pkt, NULL);
1069 c->last_was_session_key = 0;
1075 * Check the signature. If R_PK is not NULL a copy of the public key
1076 * used to verify the signature will be stored there, or NULL if not
1077 * found. If FORCED_PK is not NULL, this public key is used to verify
1078 * _data signatures_ and no key lookup is done. Returns: 0 = valid
1079 * signature or an error code
1082 do_check_sig (CTX c, kbnode_t node,
1083 PKT_public_key *forced_pk, int *is_selfsig,
1084 int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
1087 gcry_md_hd_t md = NULL;
1088 gcry_md_hd_t md2 = NULL;
1089 gcry_md_hd_t md_good = NULL;
1095 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
1098 sig = node->pkt->pkt.signature;
1100 algo = sig->digest_algo;
1101 rc = openpgp_md_test_algo (algo);
1105 if (sig->sig_class == 0x00)
1109 if (gcry_md_copy (&md, c->mfx.md ))
1112 else /* detached signature */
1114 /* check_signature() will enable the md. */
1115 if (gcry_md_open (&md, 0, 0 ))
1119 else if (sig->sig_class == 0x01)
1121 /* How do we know that we have to hash the (already hashed) text
1122 in canonical mode ??? (calculating both modes???) */
1125 if (gcry_md_copy (&md, c->mfx.md ))
1127 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
1130 else /* detached signature */
1132 log_debug ("Do we really need this here?");
1133 /* check_signature() will enable the md*/
1134 if (gcry_md_open (&md, 0, 0 ))
1136 if (gcry_md_open (&md2, 0, 0 ))
1140 else if ((sig->sig_class&~3) == 0x10
1141 || sig->sig_class == 0x18
1142 || sig->sig_class == 0x1f
1143 || sig->sig_class == 0x20
1144 || sig->sig_class == 0x28
1145 || sig->sig_class == 0x30)
1147 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1148 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1150 return check_key_signature (c->ctrl, c->list, node, is_selfsig);
1152 else if (sig->sig_class == 0x20)
1154 log_error (_("standalone revocation - "
1155 "use \"gpg --import\" to apply\n"));
1156 return GPG_ERR_NOT_PROCESSED;
1160 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
1161 return GPG_ERR_SIG_CLASS;
1165 return GPG_ERR_SIG_CLASS;
1167 /* We only get here if we are checking the signature of a binary
1168 (0x00) or text document (0x01). */
1169 rc = check_signature2 (c->ctrl, sig, md,
1171 NULL, is_expkey, is_revkey, r_pk);
1174 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
1176 PKT_public_key *pk2;
1178 rc = check_signature2 (c->ctrl, sig, md2,
1180 NULL, is_expkey, is_revkey,
1187 free_public_key (*r_pk);
1195 unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
1196 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
1197 memcpy (sig->digest, buffer, sig->digest_len);
1201 gcry_md_close (md2);
1208 print_userid (PACKET *pkt)
1213 if (pkt->pkttype != PKT_USER_ID)
1215 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
1218 if (opt.with_colons)
1220 if (pkt->pkt.user_id->attrib_data)
1222 pkt->pkt.user_id->numattribs,
1223 pkt->pkt.user_id->attrib_len);
1225 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
1226 pkt->pkt.user_id->len, ":", NULL);
1229 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
1230 pkt->pkt.user_id->len );
1235 * List the keyblock in a user friendly way
1238 list_node (CTX c, kbnode_t node)
1242 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
1243 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1245 PKT_public_key *pk = node->pkt->pkt.public_key;
1247 if (opt.with_colons)
1251 keyid_from_pk( pk, keyid );
1252 if (pk->flags.primary)
1253 c->trustletter = (opt.fast_list_mode
1257 node->pkt->pkttype == PKT_PUBLIC_KEY
1260 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1262 es_putc (c->trustletter, es_stdout);
1263 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1264 nbits_from_pk( pk ),
1266 (ulong)keyid[0],(ulong)keyid[1],
1267 colon_datestr_from_pk( pk ),
1268 colon_strtime (pk->expiredate) );
1269 if (pk->flags.primary && !opt.fast_list_mode)
1270 es_putc (get_ownertrust_info (c->ctrl, pk, 1), es_stdout);
1271 es_putc (':', es_stdout);
1272 es_putc ('\n', es_stdout);
1276 print_key_line (c->ctrl, es_stdout, pk, 0);
1279 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1280 ; /* Already printed. */
1281 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1282 print_fingerprint (c->ctrl, NULL, pk, 0);
1284 if (pk->flags.primary)
1286 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1288 /* Now list all userids with their signatures. */
1289 for (node = node->next; node; node = node->next)
1291 if (node->pkt->pkttype == PKT_SIGNATURE)
1293 list_node (c, node );
1295 else if (node->pkt->pkttype == PKT_USER_ID)
1297 if (opt.with_colons)
1298 es_printf ("%s:::::::::",
1299 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1301 es_printf ("uid%*s",
1302 kl + (opt.legacy_list_mode? 9:11),
1304 print_userid (node->pkt);
1305 if (opt.with_colons)
1306 es_putc (':', es_stdout);
1307 es_putc ('\n', es_stdout);
1309 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1311 list_node(c, node );
1316 else if (node->pkt->pkttype == PKT_SECRET_KEY
1317 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1320 log_debug ("FIXME: No way to print secret key packets here\n");
1321 /* fixme: We may use a function to turn a secret key packet into
1322 a public key one and use that here. */
1324 else if (node->pkt->pkttype == PKT_SIGNATURE)
1326 PKT_signature *sig = node->pkt->pkt.signature;
1336 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1337 es_fputs ("rev", es_stdout);
1339 es_fputs ("sig", es_stdout);
1343 rc2 = do_check_sig (c, node, NULL, &is_selfsig, NULL, NULL, NULL);
1344 switch (gpg_err_code (rc2))
1346 case 0: sigrc = '!'; break;
1347 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1348 case GPG_ERR_NO_PUBKEY:
1349 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1350 default: sigrc = '%'; break;
1353 else /* Check whether this is a self signature. */
1357 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1358 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1360 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1362 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1367 if (opt.with_colons)
1369 es_putc (':', es_stdout);
1371 es_putc (sigrc, es_stdout);
1372 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1373 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1374 colon_datestr_from_sig (sig),
1375 colon_expirestr_from_sig (sig));
1377 if (sig->trust_depth || sig->trust_value)
1378 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1379 es_putc (':', es_stdout);
1381 if (sig->trust_regexp)
1382 es_write_sanitized (es_stdout, sig->trust_regexp,
1383 strlen (sig->trust_regexp), ":", NULL);
1384 es_putc (':', es_stdout);
1387 es_printf ("%c %s %s ",
1388 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1390 es_printf ("[%s] ", gpg_strerror (rc2) );
1391 else if (sigrc == '?')
1393 else if (is_selfsig)
1395 if (opt.with_colons)
1396 es_putc (':', es_stdout);
1397 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1398 if (opt.with_colons)
1399 es_putc (':', es_stdout);
1401 else if (!opt.fast_list_mode)
1403 p = get_user_id (c->ctrl, sig->keyid, &n, NULL);
1404 es_write_sanitized (es_stdout, p, n,
1405 opt.with_colons?":":NULL, NULL );
1408 if (opt.with_colons)
1409 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1410 es_putc ('\n', es_stdout);
1413 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1418 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1421 CTX c = xmalloc_clear (sizeof *c);
1425 rc = do_proc_packets (ctrl, c, a);
1433 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1434 strlist_t signedfiles, const char *sigfilename )
1436 CTX c = xmalloc_clear (sizeof *c);
1443 c->signed_data.data_fd = -1;
1444 c->signed_data.data_names = signedfiles;
1445 c->signed_data.used = !!signedfiles;
1447 c->sigfilename = sigfilename;
1448 rc = do_proc_packets (ctrl, c, a);
1450 /* If we have not encountered any signature we print an error
1451 messages, send a NODATA status back and return an error code.
1452 Using log_error is required because verify_files does not check
1453 error codes for each file but we want to terminate the process
1455 if (!rc && !c->any.sig_seen)
1457 write_status_text (STATUS_NODATA, "4");
1458 log_error (_("no signature found\n"));
1459 rc = GPG_ERR_NO_DATA;
1462 /* Propagate the signature seen flag upward. Do this only on success
1463 so that we won't issue the nodata status several times. */
1464 if (!rc && c->anchor && c->any.sig_seen)
1465 c->anchor->any.sig_seen = 1;
1473 proc_signature_packets_by_fd (ctrl_t ctrl,
1474 void *anchor, iobuf_t a, int signed_data_fd )
1479 c = xtrycalloc (1, sizeof *c);
1481 return gpg_error_from_syserror ();
1487 c->signed_data.data_fd = signed_data_fd;
1488 c->signed_data.data_names = NULL;
1489 c->signed_data.used = (signed_data_fd != -1);
1491 rc = do_proc_packets (ctrl, c, a);
1493 /* If we have not encountered any signature we print an error
1494 messages, send a NODATA status back and return an error code.
1495 Using log_error is required because verify_files does not check
1496 error codes for each file but we want to terminate the process
1498 if (!rc && !c->any.sig_seen)
1500 write_status_text (STATUS_NODATA, "4");
1501 log_error (_("no signature found\n"));
1502 rc = gpg_error (GPG_ERR_NO_DATA);
1505 /* Propagate the signature seen flag upward. Do this only on success
1506 so that we won't issue the nodata status several times. */
1507 if (!rc && c->anchor && c->any.sig_seen)
1508 c->anchor->any.sig_seen = 1;
1516 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1518 CTX c = xmalloc_clear (sizeof *c);
1523 c->encrypt_only = 1;
1524 rc = do_proc_packets (ctrl, c, a);
1531 check_nesting (CTX c)
1535 for (level=0; c; c = c->anchor)
1538 if (level > MAX_NESTING_DEPTH)
1540 log_error ("input data with too deeply nested packets\n");
1541 write_status_text (STATUS_UNEXPECTED, "1");
1542 return GPG_ERR_BAD_DATA;
1550 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1553 struct parse_packet_ctx_s parsectx;
1558 rc = check_nesting (c);
1562 pkt = xmalloc( sizeof *pkt );
1565 init_parse_packet (&parsectx, a);
1566 while ((rc=parse_packet (&parsectx, pkt)) != -1)
1571 free_packet (pkt, &parsectx);
1572 /* Stop processing when an invalid packet has been encountered
1573 * but don't do so when we are doing a --list-packets. */
1574 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1575 && opt.list_packets == 0)
1580 if (opt.list_packets)
1582 switch (pkt->pkttype)
1584 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1585 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1587 case PKT_ENCRYPTED_MDC:
1588 case PKT_ENCRYPTED_AEAD:proc_encrypted (c, pkt); break;
1589 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1590 default: newpkt = 0; break;
1593 else if (c->sigs_only)
1595 switch (pkt->pkttype)
1597 case PKT_PUBLIC_KEY:
1598 case PKT_SECRET_KEY:
1600 case PKT_SYMKEY_ENC:
1601 case PKT_PUBKEY_ENC:
1603 case PKT_ENCRYPTED_MDC:
1604 case PKT_ENCRYPTED_AEAD:
1605 write_status_text( STATUS_UNEXPECTED, "0" );
1606 rc = GPG_ERR_UNEXPECTED;
1609 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1610 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1611 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1612 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1613 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1614 default: newpkt = 0; break;
1617 else if (c->encrypt_only)
1619 switch (pkt->pkttype)
1621 case PKT_PUBLIC_KEY:
1622 case PKT_SECRET_KEY:
1624 write_status_text (STATUS_UNEXPECTED, "0");
1625 rc = GPG_ERR_UNEXPECTED;
1628 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1629 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1630 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1632 case PKT_ENCRYPTED_MDC:
1633 case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break;
1634 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1635 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1636 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1637 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1638 default: newpkt = 0; break;
1643 switch (pkt->pkttype)
1645 case PKT_PUBLIC_KEY:
1646 case PKT_SECRET_KEY:
1648 c->list = new_kbnode (pkt);
1651 case PKT_PUBLIC_SUBKEY:
1652 case PKT_SECRET_SUBKEY:
1653 newpkt = add_subkey (c, pkt);
1655 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1656 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1657 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1658 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1660 case PKT_ENCRYPTED_MDC:
1661 case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break;
1662 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1663 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1664 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1665 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1666 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1667 default: newpkt = 0; break;
1674 /* This is a very ugly construct and frankly, I don't remember why
1675 * I used it. Adding the MDC check here is a hack.
1676 * The right solution is to initiate another context for encrypted
1677 * packet and not to reuse the current one ... It works right
1678 * when there is a compression packet between which adds just
1680 * Hmmm: Rewrite this whole module here??
1682 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1683 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1689 pkt = xmalloc (sizeof *pkt);
1693 free_packet (pkt, &parsectx);
1696 if (rc == GPG_ERR_INV_PACKET)
1697 write_status_text (STATUS_NODATA, "3");
1702 write_status_text (STATUS_NODATA, "2");
1708 free_packet (pkt, &parsectx);
1709 deinit_parse_packet (&parsectx);
1711 free_md_filter_context (&c->mfx);
1716 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1717 of the notation data. */
1719 get_pka_address (PKT_signature *sig)
1721 pka_info_t *pka = NULL;
1722 struct notation *nd,*notation;
1724 notation=sig_to_notation(sig);
1726 for(nd=notation;nd;nd=nd->next)
1728 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1729 continue; /* Not the notation we want. */
1731 /* For now we only use the first valid PKA notation. In future
1732 we might want to keep additional PKA notations in a linked
1734 if (is_valid_mailbox (nd->value))
1736 pka = xmalloc (sizeof *pka + strlen(nd->value));
1740 strcpy (pka->email, nd->value);
1745 free_notation(notation);
1751 /* Return the URI from a DNS PKA record. If this record has already
1752 be retrieved for the signature we merely return it; if not we go
1753 out and try to get that DNS record. */
1755 pka_uri_from_sig (CTX c, PKT_signature *sig)
1757 if (!sig->flags.pka_tried)
1759 log_assert (!sig->pka_info);
1760 sig->flags.pka_tried = 1;
1761 sig->pka_info = get_pka_address (sig);
1768 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1769 &fpr, &fprlen, &url))
1771 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1773 memcpy (sig->pka_info->fpr, fpr, fprlen);
1776 sig->pka_info->valid = 1;
1780 sig->pka_info->uri = url;
1789 return sig->pka_info? sig->pka_info->uri : NULL;
1793 /* Return true if the AKL has the WKD method specified. */
1795 akl_has_wkd_method (void)
1799 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1800 if (akl->type == AKL_WKD)
1806 /* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN.
1807 * Returns NULL if not available. The returned buffer is valid as
1808 * long as SIG is not modified. */
1810 issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
1815 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1816 if (p && n == 21 && p[0] == 4)
1826 /* Return the ISSUER fingerprint string in human readable format if
1827 * available. Caller must release the string. */
1828 /* FIXME: Move to another file. */
1830 issuer_fpr_string (PKT_signature *sig)
1835 p = issuer_fpr_raw (sig, &n);
1836 return p? bin2hex (p, n, NULL) : NULL;
1841 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1842 PKT_signature *sig, int rc)
1846 write_status_text_and_buffer (statno, keyid_str,
1847 un? un->pkt->pkt.user_id->name:"[?]",
1848 un? un->pkt->pkt.user_id->len:3,
1852 p = utf8_to_native (un->pkt->pkt.user_id->name,
1853 un->pkt->pkt.user_id->len, 0);
1855 p = xstrdup ("[?]");
1858 log_info (_("BAD signature from \"%s\""), p);
1859 else if (sig->flags.expired)
1860 log_info (_("Expired signature from \"%s\""), p);
1862 log_info (_("Good signature from \"%s\""), p);
1869 check_sig_and_print (CTX c, kbnode_t node)
1871 PKT_signature *sig = node->pkt->pkt.signature;
1876 char *issuer_fpr = NULL;
1877 PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
1878 kbnode_t included_keyblock = NULL;
1880 if (opt.skip_verify)
1882 log_info(_("signature verification suppressed\n"));
1886 /* Check that the message composition is valid.
1888 * Per RFC-2440bis (-15) allowed:
1890 * S{1,n} -- detached signature.
1891 * S{1,n} P -- old style PGP2 signature
1892 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1893 * C P S{1,n} -- cleartext signature.
1896 * O = One-Pass Signature packet.
1897 * S = Signature packet.
1898 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1899 * (Note that the current rfc2440bis draft also allows
1900 * for a signed message but that does not work as it
1901 * introduces ambiguities.)
1902 * We keep track of these packages using the marker packet
1903 * CTRLPKT_PLAINTEXT_MARK.
1904 * C = Marker packet for cleartext signatures.
1906 * We reject all other messages.
1908 * Actually we are calling this too often, i.e. for verification of
1909 * each message but better have some duplicate work than to silently
1910 * introduce a bug here.
1914 int n_onepass, n_sig;
1916 /* log_debug ("checking signature packet composition\n"); */
1917 /* dump_kbnode (c->list); */
1921 if ( n->pkt->pkttype == PKT_SIGNATURE )
1923 /* This is either "S{1,n}" case (detached signature) or
1924 "S{1,n} P" (old style PGP2 signature). */
1925 for (n = n->next; n; n = n->next)
1926 if (n->pkt->pkttype != PKT_SIGNATURE)
1929 ; /* Okay, this is a detached signature. */
1930 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1931 && (n->pkt->pkt.gpg_control->control
1932 == CTRLPKT_PLAINTEXT_MARK) )
1935 goto ambiguous; /* We only allow one P packet. */
1940 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1942 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1943 for (n_onepass=1, n = n->next;
1944 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1946 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1947 && (n->pkt->pkt.gpg_control->control
1948 == CTRLPKT_PLAINTEXT_MARK)))
1950 for (n_sig=0, n = n->next;
1951 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1956 /* If we wanted to disallow multiple sig verification, we'd do
1957 something like this:
1959 if (n && !opt.allow_multisig_verification)
1962 However, now that we have --allow-multiple-messages, this
1963 can stay allowable as we can't get here unless multiple
1964 messages (i.e. multiple literals) are allowed. */
1966 if (n_onepass != n_sig)
1968 log_info ("number of one-pass packets does not match "
1969 "number of signature packets\n");
1973 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1974 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1976 /* This is the "C P S{1,n}" case (clear text signature). */
1978 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1979 && (n->pkt->pkt.gpg_control->control
1980 == CTRLPKT_PLAINTEXT_MARK)))
1982 for (n_sig=0, n = n->next;
1983 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1991 log_error(_("can't handle this ambiguous signature data\n"));
1996 if (sig->signers_uid)
1997 write_status_buffer (STATUS_NEWSIG,
1998 sig->signers_uid, strlen (sig->signers_uid), 0);
2000 write_status_text (STATUS_NEWSIG, NULL);
2002 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
2003 issuer_fpr = issuer_fpr_string (sig);
2007 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
2008 log_info (_(" using %s key %s\n"),
2009 astr? astr: "?", issuer_fpr);
2012 else if (!keystrlen () || keystrlen () > 8)
2014 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
2015 log_info (_(" using %s key %s\n"),
2016 astr? astr: "?", keystr(sig->keyid));
2018 else /* Legacy format. */
2019 log_info (_("Signature made %s using %s key ID %s\n"),
2020 asctimestamp(sig->timestamp), astr? astr: "?",
2021 keystr(sig->keyid));
2023 /* In verbose mode print the signers UID. */
2024 if (sig->signers_uid)
2025 log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
2027 rc = do_check_sig (c, node, NULL, NULL, &is_expkey, &is_revkey, &pk);
2029 /* If the key is not found but the signature includes a key block we
2030 * use that key block for verification and on success import it. */
2031 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2032 && sig->flags.key_block
2033 && opt.flags.auto_key_import)
2035 PKT_public_key *included_pk;
2039 included_pk = xcalloc (1, sizeof *included_pk);
2040 kblock = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_BLOCK, &kblock_len);
2041 if (kblock && kblock_len > 1
2042 && !get_pubkey_from_buffer (c->ctrl, included_pk,
2043 kblock+1, kblock_len-1,
2044 sig->keyid, &included_keyblock))
2046 rc = do_check_sig (c, node, included_pk,
2047 NULL, &is_expkey, &is_revkey, &pk);
2050 /* The keyblock has been verified, we now import it. */
2051 rc = import_included_key_block (c->ctrl, included_keyblock);
2055 free_public_key (included_pk);
2058 /* If the key isn't found, check for a preferred keyserver. Note
2059 * that this is only done if honor-keyserver-url has been set. We
2060 * test for this in the loop so that we can show info about the
2061 * preferred keyservers. */
2062 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2063 && sig->flags.pref_ks)
2068 int any_pref_ks = 0;
2070 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
2072 /* According to my favorite copy editor, in English grammar,
2073 you say "at" if the key is located on a web page, but
2074 "from" if it is located on a keyserver. I'm not going to
2075 even try to make two strings here :) */
2076 log_info(_("Key available at: ") );
2077 print_utf8_buffer (log_get_stream(), p, n);
2081 if ((opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2082 && (opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
2084 struct keyserver_spec *spec;
2086 spec = parse_preferred_keyserver (sig);
2092 log_debug ("trying auto-key-retrieve method %s\n",
2095 free_public_key (pk);
2097 glo_ctrl.in_auto_key_retrieve++;
2098 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec,
2099 KEYSERVER_IMPORT_FLAG_QUICK);
2100 glo_ctrl.in_auto_key_retrieve--;
2102 rc = do_check_sig (c, node, NULL,
2103 NULL, &is_expkey, &is_revkey, &pk);
2104 else if (DBG_LOOKUP)
2105 log_debug ("lookup via %s failed: %s\n", "Pref-KS",
2106 gpg_strerror (res));
2107 free_keyserver_spec (spec);
2116 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2117 && !(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
2118 log_info (_("Note: Use '%s' to make use of this info\n"),
2119 "--keyserver-option honor-keyserver-url");
2122 /* If the above methods didn't work, our next try is to retrieve the
2123 * key from the WKD. This requires that WKD is in the AKL and the
2124 * Signer's UID is in the signature. */
2125 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2126 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
2127 && !opt.flags.disable_signer_uid
2128 && akl_has_wkd_method ()
2129 && sig->signers_uid)
2134 log_debug ("trying auto-key-retrieve method %s\n", "WKD");
2135 free_public_key (pk);
2137 glo_ctrl.in_auto_key_retrieve++;
2138 res = keyserver_import_wkd (c->ctrl, sig->signers_uid,
2139 KEYSERVER_IMPORT_FLAG_QUICK, NULL, NULL);
2140 glo_ctrl.in_auto_key_retrieve--;
2141 /* Fixme: If the fingerprint is embedded in the signature,
2142 * compare it to the fingerprint of the returned key. */
2144 rc = do_check_sig (c, node, NULL, NULL, &is_expkey, &is_revkey, &pk);
2145 else if (DBG_LOOKUP)
2146 log_debug ("lookup via %s failed: %s\n", "WKD", gpg_strerror (res));
2149 /* If the avove methods didn't work, our next try is to use the URI
2150 * from a DNS PKA record. This is a legacy method which will
2151 * eventually be removed. */
2152 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2153 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
2154 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
2156 const char *uri = pka_uri_from_sig (c, sig);
2160 /* FIXME: We might want to locate the key using the
2161 fingerprint instead of the keyid. */
2163 struct keyserver_spec *spec;
2165 spec = parse_keyserver_uri (uri, 1);
2169 log_debug ("trying auto-key-retrieve method %s\n", "PKA");
2171 free_public_key (pk);
2173 glo_ctrl.in_auto_key_retrieve++;
2174 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1);
2175 glo_ctrl.in_auto_key_retrieve--;
2176 free_keyserver_spec (spec);
2178 rc = do_check_sig (c, node, NULL,
2179 NULL, &is_expkey, &is_revkey, &pk);
2180 else if (DBG_LOOKUP)
2181 log_debug ("lookup via %s failed: %s\n", "PKA",
2182 gpg_strerror (res));
2187 /* If the above methods didn't work, our next try is to locate
2188 * the key via its fingerprint from a keyserver. This requires
2189 * that the signers fingerprint is encoded in the signature. */
2190 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2191 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2192 && keyserver_any_configured (c->ctrl))
2198 p = issuer_fpr_raw (sig, &n);
2201 /* v4 packet with a SHA-1 fingerprint. */
2203 log_debug ("trying auto-key-retrieve method %s\n", "KS");
2205 free_public_key (pk);
2207 glo_ctrl.in_auto_key_retrieve++;
2208 res = keyserver_import_fprint (c->ctrl, p, n, opt.keyserver,
2209 KEYSERVER_IMPORT_FLAG_QUICK);
2210 glo_ctrl.in_auto_key_retrieve--;
2212 rc = do_check_sig (c, node, NULL,
2213 NULL, &is_expkey, &is_revkey, &pk);
2214 else if (DBG_LOOKUP)
2215 log_debug ("lookup via %s failed: %s\n", "KS", gpg_strerror (res));
2219 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
2221 kbnode_t un, keyblock;
2225 PKT_public_key *mainpk = NULL;
2228 statno = STATUS_BADSIG;
2229 else if (sig->flags.expired)
2230 statno = STATUS_EXPSIG;
2232 statno = STATUS_EXPKEYSIG;
2234 statno = STATUS_REVKEYSIG;
2236 statno = STATUS_GOODSIG;
2238 /* FIXME: We should have the public key in PK and thus the
2239 * keyblock has already been fetched. Thus we could use the
2240 * fingerprint or PK itself to lookup the entire keyblock. That
2241 * would best be done with a cache. */
2242 if (included_keyblock)
2244 keyblock = included_keyblock;
2245 included_keyblock = NULL;
2248 keyblock = get_pubkeyblock_for_sig (c->ctrl, sig);
2250 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
2251 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2253 /* Find and print the primary user ID along with the
2254 "Good|Expired|Bad signature" line. */
2255 for (un=keyblock; un; un = un->next)
2259 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
2261 mainpk = un->pkt->pkt.public_key;
2264 if (un->pkt->pkttype != PKT_USER_ID)
2266 if (!un->pkt->pkt.user_id->created)
2268 if (un->pkt->pkt.user_id->flags.revoked)
2270 if (un->pkt->pkt.user_id->flags.expired)
2272 if (!un->pkt->pkt.user_id->flags.primary)
2274 /* We want the textual primary user ID here */
2275 if (un->pkt->pkt.user_id->attrib_data)
2278 log_assert (mainpk);
2280 /* Since this is just informational, don't actually ask the
2281 user to update any trust information. (Note: we register
2282 the signature later.) Because print_good_bad_signature
2283 does not print a LF we need to compute the validity
2284 before calling that function. */
2285 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2286 valid = get_validity (c->ctrl, keyblock, mainpk,
2287 un->pkt->pkt.user_id, NULL, 0);
2289 valid = 0; /* Not used. */
2291 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2293 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2295 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2296 log_printf (" [%s]\n",trust_value_to_string(valid));
2303 log_assert (mainpk);
2305 /* In case we did not found a valid textual userid above
2306 we print the first user id packet or a "[?]" instead along
2307 with the "Good|Expired|Bad signature" line. */
2310 /* Try for an invalid textual userid */
2311 for (un=keyblock; un; un = un->next)
2313 if (un->pkt->pkttype == PKT_USER_ID
2314 && !un->pkt->pkt.user_id->attrib_data)
2318 /* Try for any userid at all */
2321 for (un=keyblock; un; un = un->next)
2323 if (un->pkt->pkttype == PKT_USER_ID)
2328 if (opt.trust_model==TM_ALWAYS || !un)
2329 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2331 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2333 if (opt.trust_model != TM_ALWAYS && un)
2334 log_printf (" %s",_("[uncertain]") );
2338 /* If we have a good signature and already printed
2339 * the primary user ID, print all the other user IDs */
2342 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
2345 for( un=keyblock; un; un = un->next)
2347 if (un->pkt->pkttype != PKT_USER_ID)
2349 if ((un->pkt->pkt.user_id->flags.revoked
2350 || un->pkt->pkt.user_id->flags.expired)
2351 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
2353 /* Skip textual primary user ids which we printed above. */
2354 if (un->pkt->pkt.user_id->flags.primary
2355 && !un->pkt->pkt.user_id->attrib_data )
2358 /* If this user id has attribute data, print that. */
2359 if (un->pkt->pkt.user_id->attrib_data)
2361 dump_attribs (un->pkt->pkt.user_id, mainpk);
2363 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
2364 show_photos (c->ctrl,
2365 un->pkt->pkt.user_id->attribs,
2366 un->pkt->pkt.user_id->numattribs,
2367 mainpk ,un->pkt->pkt.user_id);
2370 p = utf8_to_native (un->pkt->pkt.user_id->name,
2371 un->pkt->pkt.user_id->len, 0);
2372 log_info (_(" aka \"%s\""), p);
2375 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2379 if (un->pkt->pkt.user_id->flags.revoked)
2380 valid = _("revoked");
2381 else if (un->pkt->pkt.user_id->flags.expired)
2382 valid = _("expired");
2384 /* Since this is just informational, don't
2385 actually ask the user to update any trust
2387 valid = (trust_value_to_string
2388 (get_validity (c->ctrl, keyblock, mainpk,
2389 un->pkt->pkt.user_id, NULL, 0)));
2390 log_printf (" [%s]\n",valid);
2397 /* For good signatures print notation data. */
2400 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2401 show_policy_url (sig, 0, 1);
2403 show_policy_url (sig, 0, 2);
2405 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2406 show_keyserver_url (sig, 0, 1);
2408 show_keyserver_url (sig, 0, 2);
2410 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2413 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2414 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2416 show_notation (sig, 0, 2, 0);
2419 /* For good signatures print the VALIDSIG status line. */
2420 if (!rc && is_status_enabled () && pk)
2422 char pkhex[MAX_FINGERPRINT_LEN*2+1];
2423 char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
2425 hexfingerprint (pk, pkhex, sizeof pkhex);
2426 hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
2428 /* TODO: Replace the reserved '0' in the field below with
2429 bits for status flags (policy url, notation, etc.). */
2430 write_status_printf (STATUS_VALIDSIG,
2431 "%s %s %lu %lu %d 0 %d %d %02X %s",
2433 strtimestamp (sig->timestamp),
2434 (ulong)sig->timestamp,
2435 (ulong)sig->expiredate,
2436 sig->version, sig->pubkey_algo,
2442 /* Print compliance warning for Good signatures. */
2443 if (!rc && pk && !opt.quiet
2444 && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo, 0,
2445 pk->pkey, nbits_from_pk (pk), NULL))
2447 log_info (_("WARNING: This key is not suitable for signing"
2449 gnupg_compliance_option_string (opt.compliance));
2452 /* For good signatures compute and print the trust information.
2453 Note that in the Tofu trust model this may ask the user on
2454 how to resolve a conflict. */
2457 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2458 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2459 rc = check_signatures_trust (c->ctrl, sig);
2462 /* Print extra information about the signature. */
2463 if (sig->flags.expired)
2465 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2466 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2468 else if (sig->expiredate)
2469 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2473 char pkstrbuf[PUBKEY_STRING_SIZE];
2476 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
2480 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2481 sig->sig_class==0x00?_("binary"):
2482 sig->sig_class==0x01?_("textmode"):_("unknown"),
2483 gcry_md_algo_name (sig->digest_algo),
2484 *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
2487 /* Print final warnings. */
2488 if (!rc && !c->signed_data.used)
2490 /* Signature is basically good but we test whether the
2492 gpg --verify FILE.sig
2494 gpg --verify FILE.sig FILE
2495 to verify a detached signature. If we figure out that a
2496 data file with a matching name exists, we print a warning.
2498 The problem is that the first form would also verify a
2499 standard signature. This behavior could be used to
2500 create a made up .sig file for a tarball by creating a
2501 standard signature from a valid detached signature packet
2502 (for example from a signed git tag). Then replace the
2503 sig file on the FTP server along with a changed tarball.
2504 Using the first form the verify command would correctly
2505 verify the signature but don't even consider the tarball. */
2509 dfile = get_matching_datafile (c->sigfilename);
2512 for (n = c->list; n; n = n->next)
2513 if (n->pkt->pkttype != PKT_SIGNATURE)
2517 /* Not only signature packets in the tree thus this
2518 is not a detached signature. */
2519 log_info (_("WARNING: not a detached signature; "
2520 "file '%s' was NOT verified!\n"), dfile);
2526 /* Compute compliance with CO_DE_VS. */
2527 if (pk && is_status_enabled ()
2528 && gnupg_gcrypt_is_compliant (CO_DE_VS)
2529 && gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey,
2530 nbits_from_pk (pk), NULL)
2531 && gnupg_digest_is_compliant (CO_DE_VS, sig->digest_algo))
2532 write_status_strings (STATUS_VERIFICATION_COMPLIANCE_MODE,
2533 gnupg_status_compliance_flag (CO_DE_VS),
2536 free_public_key (pk);
2538 release_kbnode( keyblock );
2540 g10_errors_seen = 1;
2541 if (opt.batch && rc)
2546 write_status_printf (STATUS_ERRSIG, "%08lX%08lX %d %d %02x %lu %d %s",
2547 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2548 sig->pubkey_algo, sig->digest_algo,
2549 sig->sig_class, (ulong)sig->timestamp,
2551 issuer_fpr? issuer_fpr:"-");
2552 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2554 write_status_printf (STATUS_NO_PUBKEY, "%08lX%08lX",
2555 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2557 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2558 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2561 free_public_key (pk);
2562 release_kbnode (included_keyblock);
2569 * Process the tree which starts at node
2572 proc_tree (CTX c, kbnode_t node)
2577 if (opt.list_packets || opt.list_only)
2580 /* We must skip our special plaintext marker packets here because
2581 they may be the root packet. These packets are only used in
2582 additional checks and skipping them here doesn't matter. */
2584 && node->pkt->pkttype == PKT_GPG_CONTROL
2585 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2592 c->trustletter = ' ';
2593 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2594 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2596 merge_keys_and_selfsig (c->ctrl, node);
2597 list_node (c, node);
2599 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2601 merge_keys_and_selfsig (c->ctrl, node);
2602 list_node (c, node);
2604 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2606 /* Check all signatures. */
2609 int use_textmode = 0;
2611 free_md_filter_context (&c->mfx);
2612 /* Prepare to create all requested message digests. */
2613 rc = gcry_md_open (&c->mfx.md, 0, 0);
2617 /* Fixme: why looking for the signature packet and not the
2619 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2620 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2622 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2625 /* Ask for file and hash it. */
2628 if (c->signed_data.used && c->signed_data.data_fd != -1)
2629 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2630 c->signed_data.data_fd,
2633 rc = hash_datafiles (c->mfx.md, NULL,
2634 c->signed_data.data_names,
2640 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2641 iobuf_get_real_fname (c->iobuf),
2648 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2652 else if (c->signed_data.used)
2654 log_error (_("not a detached signature\n"));
2658 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2659 check_sig_and_print (c, n1);
2662 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2663 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2665 /* Clear text signed message. */
2668 log_error ("cleartext signature without data\n");
2671 else if (c->signed_data.used)
2673 log_error (_("not a detached signature\n"));
2677 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2678 check_sig_and_print (c, n1);
2681 else if (node->pkt->pkttype == PKT_SIGNATURE)
2683 PKT_signature *sig = node->pkt->pkt.signature;
2684 int multiple_ok = 1;
2686 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2689 byte class = sig->sig_class;
2690 byte hash = sig->digest_algo;
2692 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2694 /* We can't currently handle multiple signatures of
2695 * different classes (we'd pretty much have to run a
2696 * different hash context for each), but if they are all
2697 * the same and it is detached signature, we make an
2698 * exception. Note that the old code also disallowed
2699 * multiple signatures if the digest algorithms are
2700 * different. We softened this restriction only for
2701 * detached signatures, to be on the safe side. */
2702 if (n1->pkt->pkt.signature->sig_class != class
2704 && n1->pkt->pkt.signature->digest_algo != hash))
2707 log_info (_("WARNING: multiple signatures detected. "
2708 "Only the first will be checked.\n"));
2714 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2716 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2718 else if (!c->any.data)
2720 /* Detached signature */
2721 free_md_filter_context (&c->mfx);
2722 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2724 goto detached_hash_err;
2728 /* If we have and want to handle multiple signatures we
2729 * need to enable all hash algorithms for the context. */
2730 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
2731 if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
2732 gcry_md_enable (c->mfx.md,
2733 map_md_openpgp_to_gcry
2734 (n1->pkt->pkt.signature->digest_algo));
2737 if (RFC2440 || RFC4880)
2738 ; /* Strict RFC mode. */
2739 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2740 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2741 && sig->sig_class == 0x01)
2743 /* Enable a workaround for a pgp5 bug when the detached
2744 * signature has been created in textmode. Note that we
2745 * do not implement this for multiple signatures with
2746 * different hash algorithms. */
2747 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2749 goto detached_hash_err;
2752 /* Here we used to have another hack to work around a pgp
2753 * 2 bug: It worked by not using the textmode for detached
2754 * signatures; this would let the first signature check
2755 * (on md) fail but the second one (on md2), which adds an
2756 * extra CR would then have produced the "correct" hash.
2757 * This is very, very ugly hack but it may haved help in
2758 * some cases (and break others).
2759 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2764 gcry_md_debug (c->mfx.md, "verify");
2766 gcry_md_debug (c->mfx.md2, "verify2");
2771 if (c->signed_data.used && c->signed_data.data_fd != -1)
2772 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2773 c->signed_data.data_fd,
2774 (sig->sig_class == 0x01));
2776 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2777 c->signed_data.data_names,
2779 (sig->sig_class == 0x01));
2783 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2784 iobuf_get_real_fname(c->iobuf),
2785 (sig->sig_class == 0x01));
2791 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2795 else if (c->signed_data.used)
2797 log_error (_("not a detached signature\n"));
2800 else if (!opt.quiet)
2801 log_info (_("old style (PGP 2.x) signature\n"));
2805 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2806 check_sig_and_print (c, n1);
2809 check_sig_and_print (c, node);
2814 dump_kbnode (c->list);
2815 log_error ("invalid root packet detected in proc_tree()\n");